Re: CA and smart card logon kerberos error

From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: 07/15/04

    Date: Thu, 15 Jul 2004 13:42:34 -0500
    
    

    Hi Lars, Francesco-

    The error maps to the information below in the Troubleshooting Kerberos
    whitepaper. That whitepaper can be downloaded from
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en

    0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type

    Associated internal Windows error codes:
        STATUS_UNSUPPORTED_PREAUTH
        STATUS_NOT_SUPPORTED

    Corresponding debug output messages:
        D_DebugLog("KLIN(%x) No pre-auth data in TGS request - not allowed.\n")

    Possible Cause and Resolution:
        Smart card logon is being attempted and the proper certificate cannot be
        located. This can happen because the wrong certificate authority (CA) is
        being queried or the proper CA cannot be contacted.

    Resolution:
    1. Verify that there is a functioning CA on the domain.
    2. Verify that the client can locate the CA.

    Please reply if you have followup questions or concerns.

    -- 
    Tim Springston
    Microsoft Corporation
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Lars Olaussen" <Isolauss@hotmail.com> wrote in message
    news:O4VSAoMaEHA.2816@TK2MSFTNGP11.phx.gbl...
    > "Francesco B." <francesco.bragantini@phoenix-systems.it> wrote ...
    >
    > > I set up a CA on a Windows 2000 Server and I'm having a problem logging
    > > on the domain with smart cards. When I try to log on to the server with
    > > Administrator account or any other account I get a Logon Message saying
    > > "Network request not supported".
    > >
    > > I enabled account access auditing and kerberos auditing through registry
    > > settings, so I could be able to tell where the problem was occurring.
    > > The most relevant event it showed was Kerberos error code
    > > 0x10 KDC_ERR_PADATA_TYPE_NOSUPP in the System log.
    > >
    > > Can you guys help me out, I'm stuck on this one; I thought that after
    > > installing and correctly configuring the CA, issuing certificates and
    > > mapping these certificates to the respective domain users I should've
    > > been ok. Seems I'm not.
    >
    > Francesco,
    >
    > I'm not familiar with Kerberos error codes, but I would think that your
    > problem is that you have not issued Domain Controller Certificates to
    > your DCs.
    >
    > A requirement for smartcard logon is that the DC you use for authentication
    > must have a DC certificate (all DCs should have a certificate, to be sure
    > that you always authenticate with a DC with a certificate).
    >
    > When both EE and DC have valid certificates, you have to be sure that CRLs
    > for all certificates in the chain are available. This is needed because
    > smartcard logon requires full certificate path validation.
    >
    > To check the certificate on the smartcard, without performing a logon, you
    > can use this command:
    >
    > dsstore -checksc
    >
    > You can also verify domain controller certificates with this command:
    >
    > dsstore -dcmon
    >
    > This document should be a good reference if you still have problems:
    >
    > http://www.microsoft.com/windows2000/techinfo/administration/security/smrtcrdtr.asp
    >
    > Regards,
    > Lars Olaussen
    > Isolauss@hotmail.com
    >
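    The three checks the thread converges on (a CA published and reachable in the domain, a DC certificate on the authenticating DC, and CRLs available for every certificate in the chain so full path validation succeeds) as an added PowerShell example. This is not code from the thread, from Microsoft, or from the whitepaper; it is written for a current Windows domain controller rather than Windows 2000, and assumes the ActiveDirectory PowerShell module, certutil.exe, the Cert: provider and the .NET X509Chain class are available (dsstore is assumed not to be). The Server Authentication / Client Authentication EKU filter reflects the Domain Controller certificate template; the `-UserCertPath` parameter and the `Test-FullChain` function are names chosen here.

```powershell
# Added example (not from the thread or from Microsoft). Run in an elevated
# PowerShell on a domain controller. Assumes the ActiveDirectory module,
# certutil.exe, the Cert: provider and .NET's X509Chain are available.
# The checks follow the thread: a CA must be published and reachable, the
# authenticating DC needs a DC certificate, and the full chain must validate
# with a CRL available for every certificate in it.
param(
    # Optional: a .cer exported from the smart card, to validate its chain too.
    [string]$UserCertPath
)

# 1. Enterprise CAs published in the configuration partition. The KDC locates
#    the CA here, so an empty result or an unreachable CA matches the
#    whitepaper's cause for KDC_ERR_PADATA_TYPE_NOSUPP (0x10).
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$caBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNC"
$cas = Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, cn
if (-not $cas) { Write-Warning 'No enterprise CA is published in Active Directory.' }
foreach ($ca in $cas) {
    $config = '{0}\{1}' -f $ca.dNSHostName, $ca.cn
    # certutil -ping calls the CA's request interface; a non-zero exit code
    # means this host cannot contact that CA.
    $null = certutil -config $config -ping 2>&1
    '{0,-50} reachable: {1}' -f $config, ($LASTEXITCODE -eq 0)
}

# 2. A still-valid certificate with a private key that carries the Server
#    Authentication and Client Authentication EKUs of the Domain Controller
#    template. Without one, smart card logon against this DC cannot work.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth -and
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth
}
if (-not $dcCerts) {
    Write-Warning "No DC authentication certificate in LocalMachine\My on $env:COMPUTERNAME."
}

# 3. Full path validation with online revocation checking. The root is the
#    trust anchor and has no issuer CRL, so ExcludeRoot is the strictest
#    setting that can pass; every intermediate and the leaf must have a
#    reachable CRL, otherwise Status names the element that failed.
function Test-FullChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Subject  = $Cert.Subject
        DnsNames = ($Cert.DnsNameList.Unicode -join ', ')   # populated for Cert: provider objects
        Expires  = $Cert.NotAfter
        Valid    = $ok
        # Empty when the chain is good; otherwise e.g. RevocationStatusUnknown
        # or OfflineRevocation when a CRL somewhere in the chain cannot be fetched.
        Status   = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
    }
}

$dcCerts | ForEach-Object { Test-FullChain $_ }
if ($UserCertPath) {
    $userCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath
    Test-FullChain $userCert
}
```

    Run it once per domain controller; a DC that prints a warning in step 2, or a `Valid: False` row with `RevocationStatusUnknown` in step 3, is the one Lars' advice points at, since clients may authenticate against any DC and the whole chain, not just the leaf, has to check out.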
    
